Getting Started With Microsoft's pktmon
I was bummed when I learned that Microsoft had stopped developing Microsoft Message Analyzer as of Nov 2019.
I am excited that Microsoft is providing a native packet capture tool. I have already covered how to use netsh trace (https://www.networkcomputing.com/networking/capturing-packets-natively-microsoft-windows), but I'm hoping that pktmon will be even better.
This all started when I read the following articles:
So I thought an intro or quickstart video would be helpful to those of you who are curious about Pktmon.
Here's a bunch of summary notes:
· An elevated command prompt is required for pktmon.
· Change directory to your desktop: cd %userprofile%\desktop
· Make a test folder named pktmon: md pktmon
· Check out your adapter details with pktmon comp list, or pktmon comp list -i to see all adapters, and note your adapter id (mine is 9).
pktmon start options:
-c selects a specific adapter or component using the id value shown in the pktmon comp list output. The default is all adapters/components.
--etw starts a capture session.
-p sets the packet size to capture. The default is 128 bytes; a value of 0 captures the full-size frame.
-f is the etl file name. The default is pktmon.etl.
-s sets the maximum file size. The default is 512 MB. I don't think this works.
The default -l or log-mode is circular, where new events overwrite the oldest ones.
The command I used to convert etl to pcapng is pktmon pcapng PktMon.etl
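To tie the steps above together, here is an added PowerShell wrapper (my example, not from the original post or from Microsoft) that checks for elevation, starts a full-frame capture on one component id, stops it after a timeout and converts the etl to pcapng. It assumes pktmon.exe is on PATH, that pktmon stop ends the session, and that pktmon pcapng accepts -o to name its output; the component id 9 is the value from this post and will differ on your machine.

```powershell
# Added example: run the pktmon capture procedure from this post end to end.
# Assumptions: pktmon.exe is on PATH, 'pktmon stop' ends the session,
# and 'pktmon pcapng <etl> -o <out>' names the converted file.
function Invoke-PktmonCapture {
    param(
        [int]$ComponentId = 9,      # adapter id from 'pktmon comp list'; 9 is the post's value
        [int]$Seconds = 30,         # how long to capture before stopping
        [string]$OutDir = "$env:USERPROFILE\Desktop\pktmon",
        [string]$Name = "PktMon"
    )

    # pktmon needs an elevated prompt, so fail early with a clear message
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "pktmon requires an elevated (Administrator) PowerShell session."
    }

    # equivalent of 'cd %userprofile%\desktop' + 'md pktmon' from the notes
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $etl = Join-Path $OutDir "$Name.etl"

    # --etw starts the session, -c picks the component, -p 0 keeps full frames,
    # -f names the etl file (options as listed in the post)
    & pktmon start --etw -c $ComponentId -p 0 -f $etl
    if ($LASTEXITCODE -ne 0) { throw "pktmon start failed with exit code $LASTEXITCODE" }

    try {
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # always stop the session, even if the wait is interrupted
        & pktmon stop | Out-Null
    }

    # convert etl -> pcapng as in the post; -o is the assumed output-name flag
    $pcapng = Join-Path $OutDir "$Name.pcapng"
    & pktmon pcapng $etl -o $pcapng
    if ($LASTEXITCODE -ne 0) { throw "pktmon pcapng conversion failed with exit code $LASTEXITCODE" }

    # return both files so the caller can see sizes and open the pcapng in Wireshark
    Get-Item $etl, $pcapng | Select-Object Name, Length
}

Invoke-PktmonCapture -ComponentId 9 -Seconds 30
```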
Let me know if you find this helpful and I will proceed with more options, testing, etc. For example, my next article would cover filtering, then the various log/file options.